Re: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

[exon <exon () home se>]

Such an attempt would be extraordinarily futile, since no sane attacker
uses his own computer to attack from, but rather generates the packets he
wants to send on a remote machine (which ofcourse is rooted) and from
there it is often relayed through one or more other machines in order to
make a *COMPLETE* traceback something of a superhuman effort.

Oh, btw.. the connection to the packet-generating machine may also be
relayed through other computers.

The trace might look something like this (but with a random number of
'hacked waypoints')

Attacker->Random number of hops->Hacked waypoint 1 (relay)->Random number
of hops->Hacked waypoint 2 (packet generator)->Random number of
hops->Target

All in all, there could be about 200 hops to trace. Some will be easy,
even though sysadmins on the various networks might be reluctant to
cooperate or to hand over their logfiles, and some will be near
impossible, since logfiles will be edited on the hacked waypoints.

But by all means. If you have nothing else to do with your time, try
writing a 'syslog-handout' server, that at least makes it easier to trace
the 'legal' hops. That way one compromised host at a time can be
notified.

This implies ofcourse that the admins on THAT host are innocent,
which isn't necessarily the case, but who's gonna prove it?

Installing a rootkit on your own machine and doing the hacking from there
is, after all, step one in getting that first waypoint host. Who's NOT
going to believe the poor sysadmin with a blank criminal record?

/Andy

PS.
Happy hunting. ;)

On Tue, 17 Jun 2003, Anders Reed Mohn wrote:

> Forgive me if this just ends up in a stupid question, but
> having watched this thread for a while now, it strikes me 
> as odd that noone has been able to trace the origin of any 
> of these packets yet.
> These packets are now widely known (and have been 
> discussed on other lists, in the news etc, as well), and there 
> are quite a few network admins aware of this.
>
> Is it not possible for a few to get together and track down at 
> least _one_ source computer?
>
> It seems to me that you are all putting a awful lot of effort in logging
> and tracking and making statistics.
> This is of course a good thing, but if we want to figure this thing out,
> there's more that need to be done.
>
> I know.. spoofed addresses.. but that
> does not mean we cannot trace packets to a certain extent.
> A shitty job, but unfortunately the only way of going about this, if
> we want to track it down for real.
> Also, it seems from some posters that not all sources are spoofed.
>
> Are you guys talking to your ISP's about this? I am sure the average
> ISP has at least one techhead that would be interested in digging a little
> in this, and I am guessing that several ISPs read this list as well.
> I'm not currently working as a network admin, so I'm not in a position
> to do much hunting in logs myself, unfortunately.
>  
> So, what's happenin' dudes? Can we mount a common effort to track 
> this down?
> Any ISP techs reading this, who sees these packets coming out from their
> networks? Do you contact the "offenders"?
>
> Cheers,
> Anders :)
>
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
> world's premier technical IT security event! 10 tracks, 15 training sessions, 
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to 
> "underground" security specialists.  See for yourself what the buzz is about!  
> Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------